Researchers Have Discovered App Malware On Google Play That Can Steal Your Money

The infected applications have been downloaded more than 3 million times

Maxime Ingrao, a security researcher at cyber security firm Evina, has discovered a new family of malware that can infect Android apps on Google Play.

It was named Autolycos, after the Greek mythological figure of the same name, known for his mastery of theft and deception. And that’s exactly what the malware does.

Since June 2021, Ingrao has found eight infected apps on the Play Store, downloaded more than 3 million times.

How does Autolycos work?

According to Evina’s report, Autolycos’s primary goal is to subscribe users to advanced direct carrier billing (DCB) services without their knowledge or consent.

Unlike the Joker malware, which launches an invisible browser and uses a WebView, Autolycos initiates fraudulent attempts by executing HTTP requests without using a browser.

For some steps, it can execute URLs on a remote browser and embed the result in an HTTP request.

Autolycos obtains the verification PIN code by reading the phone’s notifications.

The malware’s mode of operation makes it difficult for Google to distinguish between infected and legitimate applications. That’s why it hasn’t been found for so long.

To try to deceive as many users as possible, the cybercriminals behind Autolycos promoted the apps on Facebook pages and ran Facebook and Instagram ads.

Ingrao identified 74 ad campaigns for one of the infected apps: Razer Keyboard & Theme.

Clues have also been found in Asia and various European countries, including Spain, Austria, Poland and Germany, suggesting a startling expansion.

What are the infected applications?

Evina and Ingrao shared a list of the eight applications in which the malware was found.

  • Razer Keyboard & Theme – 10,000+ downloads
  • Vlog Star Video Editor – 1,000,000+ downloads
  • Interesting Camera – 500,000+ downloads
  • Coco Camera – 1,000+ downloads
  • Creative 3D Launcher – 1,000,000+ downloads
  • GIF Keyboard – 100,000+ downloads
  • Freeglow Camera – 5,000+ downloads
  • WOW Camera – 100,00+ downloads

Interestingly, Ingrao told BleepingComputer that he had notified Google in June 2021. Although the company acknowledged receiving the report, it took up to six months to remove the first set of six apps, which led the researchers to make them public on Twitter.

On July 13th Google removed the last two: Interesting Camera and Razer Keyboard & Theme. If you want to check out what these apps look like, you can find them in Evina’s report.

However, I found an application that looked suspiciously like the deleted Vlog Star Video Editor.

It has the exact same picture and description, only now it’s called the Vlog Star Video Maker.

Take a look.

This means that we should stay vigilant even after the identified applications are removed, because the fraudsters behind the malware may continue to introduce infected applications.

How to protect yourself

There is no bulletproof strategy for avoiding application malware, but there are some simple steps you can take.

  • Do not give the application permission to read your text messages at installation time. Also check permissions for third-party data sharing.
  • Read the comments!
  • Keep Play Protect active.
  • Don’t download applications lightly.
  • Remove applications that you no longer use.
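
Because Autolycos obtains the PIN by reading notifications, one practical check is to review which installed apps hold notification access. The script below is an added example, not code from Evina's report: it parses the value of Android's `enabled_notification_listeners` secure setting and lists every listener whose package is not on a trusted list you maintain. The sample value, the package names and the trusted list are constructed for illustration.

```python
"""Audit which Android apps hold notification-listener access (added example)."""
import subprocess

SETTING = "enabled_notification_listeners"  # Android secure-settings key


def parse_listeners(raw):
    """Parse the colon-separated 'package/class' list into (package, class) pairs."""
    raw = (raw or "").strip()
    if raw in ("", "null"):          # the setting is unset when no app has access
        return []
    pairs = []
    for component in raw.split(":"):
        package, sep, cls = component.strip().partition("/")
        if not sep or not package:
            continue                 # skip malformed entries
        if cls.startswith("."):      # short form: class name relative to the package
            cls = package + cls
        pairs.append((package, cls))
    return pairs


def unexpected_listeners(raw, trusted_packages):
    """Return listeners whose package is not on the caller's trusted list."""
    return [(p, c) for p, c in parse_listeners(raw) if p not in trusted_packages]


def read_setting_from_device():
    """Read the setting over adb (assumes adb is installed and a device is attached)."""
    result = subprocess.run(
        ["adb", "shell", "settings", "get", "secure", SETTING],
        capture_output=True, text=True, check=True)
    return result.stdout


# Constructed sample value; the package names are hypothetical.
SAMPLE = ("com.example.wearable/com.example.wearable.NotifyService:"
          "com.example.funcamera/.PushListener")
TRUSTED = {"com.example.wearable"}   # hypothetical allow-list the user maintains

if __name__ == "__main__":
    for package, cls in unexpected_listeners(SAMPLE, TRUSTED):
        print(f"review notification access: {package} ({cls})")
```

To audit a real phone, pass the output of `read_setting_from_device()` to `unexpected_listeners` in place of `SAMPLE`; a camera, keyboard or launcher app appearing in the result deserves a closer look.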
